[PATCH AUTOSEL 5.10 07/51] rtlwifi: rise completion at the last step of firmware callback

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ping-Ke Shih <pkshih@realtek.com>,
	syzbot+65be4277f3c489293939@syzkaller.appspotmail.com,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 07/51] rtlwifi: rise completion at the last step of firmware callback
Date: Tue, 12 Jan 2021 07:54:49 -0500	[thread overview]
Message-ID: <20210112125534.70280-7-sashal@kernel.org> (raw)
In-Reply-To: <20210112125534.70280-1-sashal@kernel.org>

From: Ping-Ke Shih <pkshih@realtek.com>

[ Upstream commit 4dfde294b9792dcf8615b55c58f093d544f472f0 ]

request_firmware_nowait() which schedules another work is used to load
firmware when USB is probing. If USB is unplugged before running the
firmware work, it goes disconnect ops, and then causes use-after-free.
Though we wait for completion of firmware work before freeing the hw,
firmware callback rises completion too early. So I move it to the
last step.

usb 5-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2
rtlwifi: Loading alternative firmware rtlwifi/rtl8192cufw.bin
rtlwifi: Selected firmware is not available
==================================================================
BUG: KASAN: use-after-free in rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93
Write of size 4 at addr ffff8881454cff50 by task kworker/0:6/7379

CPU: 0 PID: 7379 Comm: kworker/0:6 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x933/0x1520 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x38c/0x460 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the page:
page:00000000f54435b3 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1454cf
flags: 0x200000000000000()
raw: 0200000000000000 0000000000000000 ffffea00051533c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881454cfe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881454cfe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881454cff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff8881454cff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881454d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Reported-by: syzbot+65be4277f3c489293939@syzkaller.appspotmail.com
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20201214053106.7748-1-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/realtek/rtlwifi/core.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/core.c b/drivers/net/wireless/realtek/rtlwifi/core.c
index a7259dbc953da..965bd95890459 100644
--- a/drivers/net/wireless/realtek/rtlwifi/core.c
+++ b/drivers/net/wireless/realtek/rtlwifi/core.c
@@ -78,7 +78,6 @@ static void rtl_fw_do_work(const struct firmware *firmware, void *context,
 
 	rtl_dbg(rtlpriv, COMP_ERR, DBG_LOUD,
 		"Firmware callback routine entered!\n");
-	complete(&rtlpriv->firmware_loading_complete);
 	if (!firmware) {
 		if (rtlpriv->cfg->alt_fw_name) {
 			err = request_firmware(&firmware,
@@ -91,13 +90,13 @@ static void rtl_fw_do_work(const struct firmware *firmware, void *context,
 		}
 		pr_err("Selected firmware is not available\n");
 		rtlpriv->max_fw_size = 0;
-		return;
+		goto exit;
 	}
 found_alt:
 	if (firmware->size > rtlpriv->max_fw_size) {
 		pr_err("Firmware is too big!\n");
 		release_firmware(firmware);
-		return;
+		goto exit;
 	}
 	if (!is_wow) {
 		memcpy(rtlpriv->rtlhal.pfirmware, firmware->data,
@@ -109,6 +108,9 @@ static void rtl_fw_do_work(const struct firmware *firmware, void *context,
 		rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
 	}
 	release_firmware(firmware);
+
+exit:
+	complete(&rtlpriv->firmware_loading_complete);
 }
 
 void rtl_fw_cb(const struct firmware *firmware, void *context)
-- 
2.27.0

next prev parent reply	other threads:[~2021-01-12 13:19 UTC|newest]

Thread overview: 83+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-12 12:54 [PATCH AUTOSEL 5.10 01/51] ARC: build: remove non-existing bootpImage from KBUILD_IMAGE Sasha Levin
2021-01-12 12:54 ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 02/51] ARC: build: add uImage.lzma to the top-level target Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 03/51] ARC: build: add boot_targets to PHONY Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 04/51] ARC: build: move symlink creation to arch/arc/Makefile to avoid race Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 05/51] ARM: omap2: pmic-cpcap: fix maximum voltage to be consistent with defaults on xt875 Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 06/51] ath11k: fix crash caused by NULL rx_channel Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` Sasha Levin [this message]
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 08/51] netfilter: ipset: fixes possible oops in mtype_resize Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 09/51] ath11k: qmi: try to allocate a big block of DMA memory first Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 10/51] btrfs: fix async discard stall Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 11/51] btrfs: merge critical sections of discard lock in workfn Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 12/51] btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 13/51] regulator: bd718x7: Add enable times Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 14/51] ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 15/51] ARM: dts: ux500/golden: Set display max brightness Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 16/51] qede: fix offload for IPIP tunnel packets Sasha Levin
2021-01-12 12:54 ` [PATCH AUTOSEL 5.10 17/51] stmmac: intel: Add PCI IDs for TGL-H platform Sasha Levin
2021-01-12 12:54   ` Sasha Levin
2021-01-12 12:55 ` [Intel-wired-lan] [PATCH AUTOSEL 5.10 18/51] e1000e: Only run S0ix flows if shutdown succeeded Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 19/51] habanalabs: adjust pci controller init to new firmware Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 20/51] habanalabs/gaudi: retry loading TPC f/w on -EINTR Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 21/51] habanalabs: register to pci shutdown callback Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 22/51] staging: spmi: hisi-spmi-controller: Fix some error handling paths Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 23/51] CDC-NCM: remove "connected" log message Sasha Levin
2021-01-12 13:11   ` Greg Kroah-Hartman
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 24/51] spi: altera: fix return value for altera_spi_txrx() Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 25/51] habanalabs: Fix memleak in hl_device_reset Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 26/51] hwmon: (pwm-fan) Ensure that calculation doesn't discard big period values Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 27/51] lib/raid6: Let $(UNROLL) rules work with macOS userland Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 28/51] kconfig: remove 'kvmconfig' and 'xenconfig' shorthands Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 29/51] spi: fix the divide by 0 error when calculating xfer waiting time Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 30/51] dmaengine: stm32-mdma: fix STM32_MDMA_VERY_HIGH_PRIORITY value Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 31/51] net: usb: qmi_wwan: add Quectel EM160R-GL Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 32/51] io_uring: drop file refs after task cancel Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 33/51] bfq: Fix computation of shallow depth Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 34/51] arch/arc: add copy_user_page() to <asm/page.h> to fix build error on ARC Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 35/51] misdn: dsp: select CONFIG_BITREVERSE Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 36/51] net: ethernet: fs_enet: Add missing MODULE_LICENSE Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 37/51] selftests: fix the return value for UDP GRO test Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 38/51] nvme-pci: mark Samsung PM1725a as IGNORE_DEV_SUBNQN Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 39/51] nvme: avoid possible double fetch in handling CQE Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 40/51] nvmet-rdma: Fix list_del corruption on queue establishment failure Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 41/51] drm/amd/display: fix sysfs amdgpu_current_backlight_pwm NULL pointer issue Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 42/51] drm/amdgpu: fix a GPU hang issue when remove device Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 43/51] drm/amd/pm: fix the failure when change power profile for renoir Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 44/51] drm/amdgpu: fix potential memory leak during navi12 deinitialization Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 45/51] gcc-plugins: fix gcc 11 indigestion with plugins Sasha Levin
2021-01-12 17:31   ` Kees Cook
2021-01-17 16:18     ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 46/51] usb: typec: Fix copy paste error for NVIDIA alt-mode description Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 47/51] iommu/vt-d: Fix lockdep splat in sva bind()/unbind() Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 48/51] ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 49/51] drm/msm: Call msm_init_vram before binding the gpu Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 50/51] ARM: picoxcell: fix missing interrupt-parent properties Sasha Levin
2021-01-12 12:55   ` Sasha Levin
2021-01-12 12:55 ` [PATCH AUTOSEL 5.10 51/51] poll: fix performance regression due to out-of-line __put_user() Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a7259dbc953d dfblob:965bd9589045 )
 OR (
bs:"[PATCH AUTOSEL 5.10 07/51] rtlwifi: rise completion at the last step of firmware callback" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210112125534.70280-7-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=kvalo@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pkshih@realtek.com \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+65be4277f3c489293939@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.